Security of the Bennett 1992 quantum-key distribution against individual attack over 
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The security of two-state quantum key distribution against individual attack is estimated when the 
channel has losses and noises. We assume that Alice and Bob use two nonorthogonal single-photon 
polarization states. To make our analysis simple, we propose a modified B92 protocol in which Alice 
and Bob make use of inconclusive results and Bob performs a kind of symmetrization of received 
states. Using this protocol, Alice and Bob can estimate Eve's information gain as a function of a 
few parameters which reflect the imperfections of devices or Eve's disturbance. In some parameter 
regions, Eve's maximum information gain shows counter-intuitive behavior, namely, it decreases as 
the amount of disturbances increases. For a small noise rate Eve can extract perfect information 
in the case where the angle between Alice's two states is small or large, while she cannot extract 
perfect information for intermediate angles. We also estimate the secret key gain which is the net 
growth of the secret key per one pulse. We show the region where the modified B92 protocol over 
a realistic channel is secure against individual attack. 

PACS numbers: PACS numbers: 03.67.Dd 03.67.-a 
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I. INTRODUCTION 

Quantum key distribution (QKD) is a way to share be- 
tween the sender, Alice, and the receiver, Bob, a secret 
key whose information is not known to the eavesdrop- 
per, Eve. Since the first QKD protocol, called BB84 
protocol, was introduced by Bennett and Brassard [Q, 
several schemes for QKD have been proposed, such as 
Ekert protocol which is based on the nonlocality of 
quantum mechanics, B92 protocol j3|, which uses two 
nonorthogonal states, and so on Q. In each protocol, 
since Eve cannot eavesdrop without disturbing quantum 
states, she will induce some errors or changes in the trans- 
mission rate. In ideal situations where imperfections such 
as transmission losses and dark counting of detectors do 
not exist, one can prove that the QKD protocols are se- 
cure even when Eve employs any kind of eavesdropping 
strategies including so-called collective attack or coherent 
attack, which is the most general attack where a single 
probe is entangled to the whole transmitted pulses. In 
practice, however, imperfections exist and if Eve gets rid 
of imperfections by using her unlimited technology (for 
example, she may replace the noisy channel to a noise- 
less channel) , Eve can disturb quantum states to a certain 
degree and therefore she obtains some information about 
the secret key. Estimation of the amount of information 
extracted by Eve and construction of a secure secret key 
under such situations are not a trivial problem. 

There are several works which deal with the security 
of realistic QKD. In |], ^, 0, [| |{|, it is proven that under 
some conditions the BB84 protocol is secure even when 
Eve employs coherent attack. The security proof in ||] 
reveals a tight connection to the entanglement purifica- 
tion protocol [ |l0| and quantum error correcting codes, 
especially Calderbank-Shor-Steane codes pl[. This proof 



can be also applied to BB84-type protocols such as the 
6-state protocol where the basis information is ex- 
changed over a public channel. The security against the 
individual attack, which is more restricted but more re- 
alistic, was also discussed for the BB84 protocol |k| and 
for the Ekert protocol O . 

On the other hand, we have not yet fully understood 
the security of the B92 protocol. The discussions so 
far concerned with the security against individual attack 
]l5| , In each paper, the single-photon polarization is 
used as a carrier of the quantum signals, and the trans- 
mission loss is not included. In |l5| , Fuchs and Peres have 
calculated the upper bound of Eve's Shannon information 
gain averaged over all transmitted bits. Slutsky and co- 
authers have estimated the upper bound of Eve's Renyi 
information gain in a B92 protocol as a function of the er- 
ror rate when Alice and Bob discard errors jl6) . The B92 
protocol, which uses only two states, is conceptually the 
simplest of all the protocols. In addition, the protocol 
includes a continuous parameter (the nonorthogonality 
between the two states) that can be chosen by the users, 
forming a striking contrast to the BB84-type protocols. 
Further understanding of the security of the B92 protocol 
is thus important not only for the practical applications 
but also for deeper understanding of the nature of quan- 
tum information. 

In this paper, we estimate the security of the B92 pro- 
tocol against individual attack over a realistic channel 
including noises and transmission losses. We assume, 
like in JT^, that Alice encodes the bit values in two 
single-photon polarization states (the original B92 in || 
uses two nonorthogonal coherent states). We consider a 
modified protocol in which inconclusive measurement re- 
sults are also used for the estimation of Eve's information 
gain, in addition to the bit error rate used in the previ- 



2 



ous analyses. The problem is also regarded as one of the 
basic problems of quantum eavesdropping, namely, the 
maximum information leak to an adversary who are sim- 
ulating the noisy quantum channel through which Alice 
transmits Bob a bit encoded on two quantum states. 

We briefly describe how Alice and Bob can obtain the 
secret key whose information available to Eve is negli- 
gibly small. First, Alice prepares nonorthogonal single- 
photon polarization states | ) and 1 1 ) , depending on the 
bit values of the raw key, and sends them to Bob. After 
propagating through the noisy channel or through eaves- 
dropping by Eve, | ) and | 1 ) generally become mixed 
states, po and pi, respectively. Secondly, Bob performs 
measurement whose outcomes are 0, 1 and "?". The 
outcome "?" means an inconclusive result where Bob 
cannot determine which state Alice has sent. Thirdly, 
Alice and Bob discard inconclusive bits and they recon- 
cile the errors in conclusive bits by an error correction 
protocol which is the technique of classical information 
theory to obtain the reconciled key. Finally, in order to 
eliminate Eve's information about the reconciled key, Al- 
ice and Bob shorten their keys via a privacy amplification 
protocol jlH , which is also the technique of the classical 
information theory. How much they should shorten the 
reconciled key depends on how much information about 
the reconciled key Eve could have obtained. The last two 
procedures are done over a public channel. It is assumed 
that Eve can listen to the information exchanged over 
the public channel, but she cannot alter it. By means 
of these techniques, Alice and Bob can obtain the iden- 
tical secret key, even under the imperfections and Eve's 
interference. 

In the above framework, it is important for Alice and 
Bob to estimate Eve's information about the reconciled 
key properly. To estimate this information, we propose 
a slightly modified protocol. The difference between our 
protocol and the original protocol is that when Bob ob- 
tains an inconclusive result, Alice opens which state she 
has sent. Using this extra data, Bob performs data pro- 
cessing which is a kind of symmetrization of the states 
received by Bob. This makes our analysis simpler with- 
out underestimating Eve's ability. We can estimate Eve's 
information by using the symmetrized density matrices. 
Eve's information gain is calculated as a function of a 
few parameters which characterize the symmetrized den- 
sity matrices. Since Bob's symmetrized density matrices 
can be fully characterized by the observed quantities and 
classical communication, the problem we have solved is 
equivalent to the problem of how much maximum in- 
formation Eve can extract while she simulates the noisy 
channel. The answer to this problem has turned out to 
be more complex than expected; We found a counter- 
intuitive phenomenon where the maximum information 
gain is not monotone increasing as a function of the 
amount of noises when the angle between Alice's two 
states is small. We also found that for a small noise rate, 
Eve can extract perfect information in the case where 
the angle of Alice's two states is very small or very large, 



while she cannot extract perfect information for the in- 
termediate angle. We give an explanation that is useful 
to understand these behavior intuitively. 

We also performed an optimization of the angle be- 
tween Alice's two states that makes the rate of the final 
key gain as high as possible. We show that the opti- 
mized angle decreases as the amount of noises and the 
transmission losses increase. Unfortunately, the assump- 
tion of the polarization encoding makes the B92 protocol 
particularly weak against channel losses, so that the key 
gain is always smaller than in the BB84 protocol. 

This paper is organized as follows. In Sec. [0], we de- 
scribe our assumption on the apparatus used by Alice and 
Bob, and the limitation on Eve's strategy. Our slightly 
modified B92 protocol is proposed in Sec. |l|. Then, in 
Sec. |Tv| , we consider Bob's data processing for the sym- 
metrization of the density matrices, and in Sec. [v|, we op- 
timize Eve's eavesdropping strategy and calculate Eve's 
maximum information gain as a function of the param- 
eters that reflect imperfections or Eve's disturbance. In 
Sec. VI, we calculate the secret k ey g ain as a function 
of these parameters. Finally Sec. VII is devoted to the 
summary and discussion. 



II. ASSUMPTIONS 

In this section, we describe the assumptions on the 
abilities of the legitimate users (Alice and Bob) and the 
eavesdropper (Eve) . We put these conditions throughout 
this paper. 

First, we describe what Alice and Bob perform with 
ideal apparatus. The B92 protocol is originally consid- 
ered to use two nonorthogonal coherent states. In this 
paper, however, we assume two nonorthogonal single- 
photon polarization states for the simplicity of analysis. 
We denote the Hilbert space for each pulse as H, which 
contains arbitrary photon number states, and the sub- 
space that contains only one photon as Hi . The subspace 
Hi is two-dimensional reflecting the polarization degree 
of freedom, and the states in Hi are conveniently repre- 
sented by the Bloch sphere. We define \<J V ) and \o\^) 
for — 7r < if < 7r as follows, 

\a v ) = cos-|z+) +sin-|z-), 



and I (j <r 



sin -| z+) 
■ 

— sin — z- 
2 1 



cos — I z— ) 
2 1 

<P i 

+ COS — I 2- 



for <p > , 
-) for <p < 0,(1) 



where | z+ ) and | z— ) are the eigenstates of a z (z com- 
ponent of Pauli matrix) whose eigenvalues are +1 and 
— 1, respectively, ip is the angle between \a v ) and | z+) 
on the x — z plane in the Bloch sphere. 

We assume that Alice prepares the following states de- 
pending on the bit value, 

|0) = \ (T- a >) and|l) = \a a >) (0 < a! < tt/2), (2) 
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FIG. 1: Bob's measurement basis in the Bloch sphere. 



where the parameter a' characterizes the nonorthogonal- 
ity between the two states, such that 



ID 



cos a 



(3) 



When these states are sent to Bob through the noisy 
quantum channel, | ) and | 1 ) generally become mixed 
states, po and pi, respectively. On these states, Bob 
measures the polarization on the basis {| <7_ a ), | <J- a )} 
or {| <7 a ), | Oa)}, which is selected randomly. The 
whole measurement process is described by the follow- 
ing POVM " 
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(4) 

where "V" means the states which contain zero or more 
than one photon, where allowances are made for the ef- 
fect of transmission losses. Fi and F? (i = 0, 1) are shown 
in Fig. [j] schematically using Bloch sphere. Here we al- 
low general cases where a is not necessarily equal to a'. 
We call the events inconclusive where Bob's outcome of 
the measurement is or 1, and the events where Bob's 
outcome is or 1 conclusive. 

In reality, the transmission line and Alice and Bob's 
apparatus is not perfect (see Fig. |J). We assume one 
condition on the character of the imperfection, namely, 
the imperfection is equivalently represented as a noise 
source placed just after Alice's ideal apparatus, and a 
noise source just before Bob's ideal apparatus. Under 
this condition, Fig. || becomes Fig. [| We need some care 
for this assumption. For example, if the noisy photon 
detectors PD1 and PD2 in Fig. |] have different quantum 
efficiencies, we cannot transform this model into Fig. ^ 
directly. However, if Bob interchanges noisy PD 1 and 
noisy PD 2 at random, which effectively makes the ef- 
ficiency of these detectors identical, we can transform 
Fig. into Fig. ||, and the assumption can be met. 



FIG. 2: An example of experimental setup, "noisy PR" is the 
noisy polarization rotator, "noisy PBS" is a noisy polarization 
beam splitter, and "noisy PD1" and "noisy PD2" are noisy 
photon detectors. Our assumption is that this setup can be 
transformed into Fig. til 
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FIG. 3: The model of our setup. The "NS" represents the 
noise source of Alice or Bob's device. Since Alice and Bob 
cannot separate noises due to imperfections and ones due to 
Eve, they should assume, for security, that Eve can also con- 
trol NS, which extends Eve's region up to dotted line. Due 
to this assumption, the legitimate users' apparatuses look like 
ideal. "Ideal PR" is an ideal polarization rotator which ac- 
curately rotates the polarization of photons, "ideal PBS" is 
an ideal polarization beam splitter, and "ideal PD 1 (2)" is 
an ideal photon detector with unit quantum efficiency and no 
dark counting. 



The benefit of the above assumption is that we can 
use a simpler model in which Alice and Bob's appara- 
tus is perfect, in the following sense. In Fig. | the re- 
gion bounded by dash-dotted lines is under Eve's control. 
Suppose that this region is extended up to the dotted 
lines. While this assumption may make the length of the 
final key shorter than the optimum one, at least we can 
avoid the risk of underestimating Eve's ability. In this 
model, every imperfection is attributed to the property 
of the quantum channel, and the analysis is considerably 
simplified. This assumption has been also used in the 
previous works 0, |l7| . 

We assume that Eve's eavesdropping is restricted to 
individual attack. The definition of individual attack is 
that eavesdropping is independently done for each pulse 
and there exists no correlation of events among pulses. In 
the most general individual attack, Eve prepares her aux- 
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iliary system (probe) E in an initial state \w)e, interacts 
it with one pulse sent by Alice via a unitary operation 
U, and performs measurements on the probe E to obtain 
the bit information. We do not impose any restriction on 
Eve's measurement on the probe. We do not treat more 
general attack, such as collective attack or coherent at- 
tack. 



Bob's measurement results were p = 0,1,0,1. He 
can determine the number of events nj lfi (fi — 
0,1,0,1; j — 0,1) where Alice's choice was j and 
Bob's result was pi. Assuming that n to tai is large, 
2nj^/ntotai gives a good estimate of the quantity 
^(F^pj). Bob estimates the maximum informa- 
tion that can be leaked to Eve under the condition 



Tr^pj) = 2n J> /«-totai • 



(5) 



III. PROTOCOL 

In this section, we propose a protocol slightly modified 
from the original one, which makes it possible to identify 
the density matrices of the states received by Bob more 
tightly. The main idea is that Alice and Bob can iden- 
tify the density matrices more precisely by monitoring 
more parameters. In our protocol, Alice and Bob mon- 
itor not only the error rate in conclusive bits, but also 
the statistics of inconclusive bits. This additional infor- 
mation makes it possible to identify the density matrices 



after a symmetrization which is described in Sec. IV 



Our modified protocol consists of the following steps. 

1. Alice determines a bit value j = or j = 1 ran- 
domly, and sends to Bob the single-photon polar- 
ization state | j) defined by Eq. (|^). 

2. Bob performs the measurement described by 
POVM = 0, 1,0,1, V) defined by Eq. (g). 

3. If the measurement result was p, = 1, Bob sets the 
received bit value as j 1 = 0, and if p, = 0, he sets 
j' = 1. In both cases, Bob tells Alice over the 
public channel that the result was conclusive, and 
Alice adopts j and Bob adopts j' as a bit value of 
their raw keys, respectively. If the measurement 
result was p = 0, 1, or V, Bob opens the result p, 
and Alice opens the bit value j in the cases p = 0, 1. 

4. Alice and Bob repeat steps 1-3 n to tai times and 
obtain their raw keys. 

5. Error reconciliation: To make an identical key (the 
reconciled key) from their raw keys, Alice and Bob 
perform an error correction protocol. The recon- 
ciled key consists of "correct bits" which were found 
to be correct and "flipped bits" which were found 
to be incorrect and hence flipped in the error cor- 
rection protocol. In order not to leak the additional 
information about the final key to Eve, a previously 
shared secret key is used to encrypt the communi- 
cation over the public channel. A small length of 
the secret key is also used to make sure that the 
reconciled key is identical, using an authentication 
protocol pl| . 

6. Estimation of Eve's information: After the pub- 
lic communication about the inconclusive events in 
step 3 and the error reconciliation in step 5, Bob 
knows Alice's original bit values for the cases where 



The estimation of Eve's information gain is sepa- 
rately made for the correct bits and for the flipped 
bits. 

7. Privacy Amplification: To eliminate the informa- 
tion leaked to Eve, Alice and Bob produce a secure 
final key by shortening the correct bits and flipped 
bits of reconciled key according to the information 
gains estimated in step 6 via a privacy amplification 
protocol. 

The most important part in the quantum key distri- 
bution through a noisy channel is the estimation of the 
leaked information done in step 6. The detailed proce- 
dures in the proposed protocol above were chosen so as 
to make the estimation easier. First, we use not only the 
error rate in conclusive bits but also the measurement 
results of inconclusive bits to fix the density operator of 
the state delivered to Bob more tightly. Secondly, the op- 
timization of Eve's measurement on her probe system is 
simplified by estimating Eve's information about correct 
bits and flipped bits independently. For the correct bits, 
the state of Eve's probe when the bit value of the final key 
is is a pure state Cq(1 | U | 0) | w)e = | </>o)e, and the 
state when the bit value is 1 is C\ (0 \U | 1 ) | w )e = | 0i)e, 
where Co and C\ are the constants for normalization. 

In our estimation of Eve's information gain on each cor- 
rect bit, we use the information gain I defined through 
the collision probability P{i\v) 2 averaged over possible 
Eve's outcomes v. Here P{i\v) is the posteriori proba- 
bility that Alice's bit value is i (the state of Eve's probe 
was | </>i)e) under the condition that Eve has obtained 
outcome v. The explicit definition of the information 
gain I is 



1= 1 



lo g2EE p H p (^) 



i=0,l v 



(G) 



where P(y) is the probability that Eve obtains outcome 
v. This measure is useful since it directly tells us how 
much we should shorten the key in the privacy amplifi- 
cation jlT], fl8j . The quantity I is maximized by the Von 
Neumann measurement on the basis symmetrically ar- 
ranged around the vectors | <^o)e and | 0i)e 1 1 6 , 19], and 



thus we obtain the maximum information gain for each 
correct bit I Gc which can be written as 



I 



Gc 



log 2 2 



(7) 
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where 

Q = e(0o I 01 >e 



H(o|[/t|i)(o|c/|i)| w > 



VlE< w |(o|c/t|i)|2^| <0 |c/|i)| w ) E| 



( 8 ) 

Note that the same measurement also maximizes the in- 
formation gain measured with respect to Shannon en- 
tropy [19], and its maximum value Icf c is given by 



I Gc = 1 - h 



I- y/T^W 



(9) 



where is the entropy function defined as h(x) = 

-a;log 2 z- (1-x) log 2 (l-x). 

The maximum information gain I for each flipped 
bit can be obtained by merely changing the defini- 
tion of Q with Q' = e(0oI0'i)bi where | o )e = 
C^(O|U|O)|u;)E = and|0' 1 ) E = C((l|U|l)| U ;)E. The 
problem of finding the maxima of I Gc and I Gf reduces to 
finding the minimum of \Q\ or \Q'\, which will be solved 
in Sec. [V| 

In our analysis, we assume, for simplicity, an unrealis- 
tic assumption that Eve can deal correct bits and flipped 
bits independently, which may overestimate the amount 
of the leaked information. If we try to deal these together, 
we need to optimize Eve's measurement in four dimen- 
sional Hilbert space, and the optimization would be more 
complicated. We leave the tight estimation of the leaked 
information in such cases to future investigations. 

We have to be careful about leaked information during 
the error reconciliation protocol. The redundant infor- 
mation used in step 5 contains the partial information of 
the secret key. So, in order to prevent this leakage of in- 
formation, redundancy bits are encrypted by previously 
shared secret key. On the other hand, since we assume 
Eve employs individual attack, in other words the events 
for different pulses are independent, the public communi- 
cation concerned with inconclusive results in step 4 does 
not leak any information about the conclusive results, 
and so we need not to encrypt this communication. 



IV. SYMMETRIZATION OF EVE'S STRATEGY 

In this section, we consider the symmetrization of Eve's 
strategy which simplifies our analysis, but never under- 
estimates Eve's ability. The discussion can be similarly 
applied to the flipped bits. 

The eavesdropping strategy of Eve, specified by the 
unitary operator U, gives the information gain about the 
correct bits of the final key that is determined through 
the quantity Q(U) defined by Eq. (|8|). It also determines 
the density operators pj (j = 0, 1) of the states delivered 
to Bob as follows, 



Pj = Ti'e [U\j)\ 



W EE W 



On the other hand, these density matrices must satisfy 
Eq. (|^) . The problem to be solved is to find the minimum 
value of |Q| under the constraint Eq. (||). 

A standard way of symmetrization would be to replace 
the transformation U to an operation with higher sym- 
metry U, such that Eqs. and ([[o|) still hold, and 
\Q{U)\ > \Q{U)\ holds. Then, Eve's information gain 
can be estimated by minimization of |Q| over possible U 
without fear of underestimation. 

Instead of using such a standard scheme, here we in- 
voke a transformation U -> U s with |Q(Z7)| > |Q(^ S )|, 
but Eqs. (|) and (0) with U replaced by U s are not 
necessarily satisfied. The transformation U ^ II s is ex- 
plained in Appendix A. The states that would be received 
by Bob when Eve performed U s are given by 



Pj = TrE [U*\j)\w) EE {w\{j\(U°y 



(11) 



Due to the symmetry of U s , these states are simply 
parametrized by {0, e, T} as follows: 



fib 



T 1 



r -(a+0) 



(a+9) | 



+ T 2 1 a -(a+e))(^-(a+e) \ + (1 - T)|vac)(vac| 



(12) 



and 



Pi = T (1 - 2 J I a (a+e))(^(a+9)\ 

+ T||a^y)(a(^)| + (1-T)|vac)(vac| ,(13) 

where |vac) is the vacuum state. These density matrices 
are shown in Fig. |J. An important point is t hat the states 
pj are related to pj as in Eqs. (A4)-(A8), and hence, 
the parameters {6*, e, T} should be related to the actually 
observed quantities as follows: 

(l-e)cos0 = Tr[(Fo-F o )p s o ] 
= ^(Tr[(F - F- )p ] + Tr[(Fi - F^p,}) 

= ("o,o - n-o.o + "1,1 - %,i)AHotal (14) 



(1 - e) cos(# + 2a) = Tr[(Iq - Ff)p s } 
i(Tr[(F! - FiVo] + Tr[(F - F g ) Pl ]) 

= (n ,i - n f + m )0 - n 1: g) Metal (15) 



and 



T= l-Tr[F v (p + Pi)/2] 

= "i.M/^total- 



(16) 



j=0,l 11=0,1,0,1 



(10) 



Eqs. (|12[)-(|16D imply that the density operators pg and p\ 
can be completely specified by Bob through the observed 
quantities. 
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FIG. 4: The density operators on x-z plane in the Bloch 
sphere that Bob uses to estimate Eve's extracted information. 
Pq and p\ do not have y components and they are symmetric 
with respect to z axis. 



The above argument is summarized as follows. Sup- 
pose that Eve conducted a strategy U and Bob obtained 
the values of {8, e, T} through the observed quatities and 
relations (Oh-(^6|). The states p S j is determined by Eqs. 
( fl2| ) and (|13|). Then, there exists an attack with unitary 
operator II s satisfying Eq.© and |Q(Z7)| > |<9(?7 B )|. 
Hence, the minimum of |Q(C/)| can be safely estimated 
by the minimization of |Q(?7 S )| under the condition that 
U s satisfies Eq.Q). 

Let us further reduce the minimization problem in 
a convenient form. Using Schmidt decomposition, 
Eqs. (fl2|) and (|l^) lead to the expressions of the total 
pure states 



U s \0)\w) E = X /T {l--)\a_ {a+g) }\ ai ) E 



+ \I T -j\°-(, a +9))\a2)v 



+ Vl - T\ vac) |Ov>e, 



(17) 



and 



U s \l)\w) E = x jT (l- 5 Jk (o+e) )|6 1 ) B 



\/l - T\ vac) I b 



v E ■ 



where \ai) E and | 6»)e(* = 1, 2) arc orthogonal to the 
space spanned by | o v )e and | b v ) E , since Eve knows the 
photon number in this strategy. | a,i) E and | bi) E (i = 1, 2) 
satisfy 

E(ai| aj) E = S it j, E {bi\bj) E = Sij , (19) 
and hence connected by a unitary operator £, namely, 
\bi) E = i\ai) E . (20) 



By applying the discussion in Appendix [A], the unitary 
operator £ is a real orthogonal matrix in the basis W, 
since II s , \cr v ), \<fy), |vac), and \w) are invariant under 
Z w . 

The condition for II s to be unitary can be written as 



E H(o|(t/ s ) t c/ s |i)k) E = <o|i), 

which means 
TTr 



+ (1 — T) cos <f> = cos a', 



where 



costp = 

B = 

Bn = 

B\2 — 



e(Ov| K)e, 

^ Bij \ di ) EE ( Oj|j 



1 - -J cos (a + 6) , 



B21 



1_£) | sin (a-H 



and 



Bo 



— cos (a + 1 



(21) 
(22) 

(23) 
(24) 

(25) 

(26) 
(27) 

(28) 



Note that for arbitrary <p and arbitrary real orthogonal 
matrix £ satisfying Eq. (|22|), there exists a corresponding 
unitary operator U s . 

Using I and Eq. (||), Q(U S ) can be written as a function 
of £ as 



Q(i) = Tr 



where 



A = 



An 
A12 



^ Ajj\ Oj)EE(Ojl) 

(2 - e) sin 2 (a + §) 



[1 - (1 - e) cos(2a + 
A21 - 



y/e (2 - e) sin (2a 



(18) and 



-422 = 



2 [1 - (1 - e) cos(2a + 1 



e cos a 



[1 - (1 - e) cos(2a + 1 



(29) 

(30) 

(31) 
(32) 

(33) 



Therefore, the problem of finding the minimum of |Q(C/)| 
reduces to the problem of finding the minimum of |Q(£)| 
under the constraint 



TTr 



B£ 



cos a 



< 1-T. 



(34) 
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V. OPTIMIZATION OF EVE'S APPARATUS 
AND HER INFORMATION GAIN 

In this section, we determine the minimum of |Q(£)| 
under the constraint Eq. (p4[). It is convenient to intro- 
duce a function <3 m i n (-B) which is defined as the minimum 
of |Q(£)| under the condition 

B(i) = Tr [b(\ = B (35) 

for — .B max < B < i? m ax, where -B max is the maximum of 
Tr[B£] over all f for a given B. Since B X1 B 2 2 -B 2 2 <0, 
is given by 

B 2 max = (B n -B 22 ) 2 +4B 2 2 . (36) 

Note that the relations B(-£) = and |Q(-|)| = 

|Q(|)| imply that Q min (B) = Q min (-B). Several 
properties of Qmm(B) are derived from the fact that 
Qmin(cosa') is equal to the minimum of |Q(£)I under 
the constraint Eq. ( |34| ) when T = 1. Since Eve can 
freely determine the bit value j when cos a' = 0, we have 
Qmin(O) = 0. Moreover, since Eve can always convert 
the initial states |j) to \j') such that (l'|0') > cos a', 
Qmin(-B) is a never-decreasing continuous function for 
B > 0. Therefore, Q m \n(B) = in a range \B\ < B a , 
and Q m in(-B) > for B < \B\ < B max . The minimum 
of |Q(£)| under the constraint Eq. (M) is given by 



cosa / -(l-r) 
when < B 



(37) 



and 



min |Q| = Q n 



cos a' - (1 -T) 
f 



, cosa'-(l-T) 
when ^ '- > B . 



(38) 



As we discuss the detail in Appendix B, in order to min- 
imize \Q\, operator £ must satisfy 



{(vA-XB) 2 ,£} = 0. 



(39) 



where v and A are real parameters which satisfy [(v 1 A) ^ 
(0,0)]. 

The form of operator £ satisfying this condition de- 
pends on the rank of vA — XB. For the moment, we 
assume that £ ^ 0. Since the rank of A is 1 and that of 
B is 2, the rank of vA — XB is 1 or 2. 

First, we consider the case where the rank of vA — XB 
is 2. Let Hq be the subspace spanned by |ai)E and 
|a 2 )E, which is the support of vA — XB, and Hq be 
the complementary space of Ho- Let Ph and Pjj± be 
the projection operators to the corresponding subspaces. 
P Ho [{uA- XB) 2 ,£]P^ o = implies that ||ai) E € Hq and 
£I°2)e £ Hq. Hence the matrix form of £ in Hq with 
respect to the basis {|q,i)e, |&2)e} should be written as 



_ j COS T] 

sin 77 



sin 77 
- cos 77 



(40) 



which we call Type 1, or 



COS T) 



sin 77 



sin 77 cos 77 



(41) 



which we call Type 2. With the help of Eq.(f29J), Q(£) 
and £>(£) for Type 1 are given by functions of parameter 
77 as 

Q {1) (il) = (A n - A 22 )cosr] + 2A 12 smr] (42) 
and from Eq.(j35|) 

B^(r]) = (B n -B22) cost; + 2£i2 sin 77, (43) 
respectively. Similarly, for Type 2, we have 

Q (2) (r)) = (An +^22) cos 77 = cost? (44) 

and 

S (2) (r?) = (fin +5 22 )cos7i 



(1 — e) cos(a + 9) cos 77. 



(45) 



\Q^\ and |(5^ 2 ^| are plotted in Fig. || by solid line and 
dot-dashed line respectively. Note that the choice of £ 



£| ai ) E = cos7i| a x ) E + sin?7| a 3 ) E 
CI a 2 )e = cos 7?| a 2 )e - sin t]| a 4 ) e 



(46) 



where | a 3 )e and | 04 )e are the states orthogonal to Hq 
and e(«3 I 04 )e = 0, yields the same dependence of Q 
and B on 77 as Type 2. When | cos ?y| 7^ 1, this £ does 
not satisfy Eq. (|39]), which means that IQ^H 7 ))! cannot 
be the minimum of |Q(£)|. When | cos 77I = 1, |Q^(?7)| is 
unity from Eq.(|2^). Therefore, we can neglect \Q^\ in 
determining Q mm (B). 

Next, we consider the case when the rank of vA — XB 
is 1. Solving det(iM — XB) = in H , we find that this 
case happens when A = [since detA = from Eqs. (|3l|)- 
@], or 



A _ A11B22 + A 22 Bn — 2A12B12 
v B11B22 — B\ 2 



(47) 



The support of vA — XB is one-dimensional and let us 
write the corresponding pure state as |(z)e G Hq. Let 
|a ± )E € H be the state orthogonal to |a) E - Using the 
same way as the derivation of Eqs. (|i^) and (f4l|), Eq. ( |39| ) 
implies that the matrix form of £ in Hq with respect to 
the basis {|o)e, |a _L ) E } should generally be written as 



1 







cos 77 



(48) 



When A = 0, |Q(£)I is always unity (from Eq.(p9|)), and 
is not relevant for the present problem of finding the min- 
imum of |Q(£)I- The case A = kv is relevant, and we call 
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FIG. 5: \Q\ vs B when a = 10°, e = 0.05, 9 = 15°, and 
T — 0.8. The solid line represents \Q\ obtained by Type 1, 
the dot-dashed line represents Type 2, and the dotted line 
represents Type 3. In this figure, |Q m in| = for < B < Bo 
and |Q n 



= IQmtal for Bo < B < B n 



it Type 3. With the help of Eq.(gg), Q(£) and B(£) for 
Type 3 are given by functions of parameter r\ as 

Q^Hv) = ±[E(a|i|a)E+cosr/ E (a ± |i|a ± ) E ] 

= ±[Tr(AP a )(l - cost;) + cos 77] (49) 

and from Eq.(^5|) 

= ±[Tr(SP a )(l - cosr/) + cosr;Tr(B)](50) 
respectively, where 

A-kB 



B^Xn) = ±[ E (a|B| a ) E + cos? 7E ( a ± |B|a J /L ! 



Pa 



\a)EE{a\ = 



Tr(A - kB) 



(51) 



|q(3,±)| i s plotted in Fig. || by dotted line. In the figure, 
only |Q^ 3: ~' ) | is plotted since IQ'- 3 '" 1 "- 1 ! does not exist. 

Finally, we consider the case where e = 0. In this case, 
Qaiu\{B) can be directly found as 



Q{B) 



B 



cos(a + 1 



(52) 



and B = 0. 

Now, since we have listed up all candidates for Eve's 
optimum operation, we can obtain Eve's maximum infor- 
mation gain by picking up the optimum one numerically. 
We show some examples of Eve's information gain as a 
function of a', a, T, 9 7 and e in Fig. || and Fig. [?]. In these 
figures, we plot Eve's maximum information gain as a 
function of e. Since the parameter e corresponds to the 
noise or the error rate, it might be expected that Eve's 
information gain increases when e gets larger. In Fig. |t], 
however, Eve's information gain starts to decrease from 
the unity when the noise parameter e exceeds a value 
around 0.13. In Fig. ||, the shaded region represents the 
region where Eve's information gain is unity when (a) 
a' = a = 10°, and 6 = 0°, and (b) a' = a = 45° 
and 9 = 0°. We can see again in Fig. pi (b) the counter- 
intuitive behavior that the Eve's information gain is lower 
in the region with larger e. 



FIG. 6: Eve's maximum information gain I Gc vs e when a' 
a = 40°, 6 = 0°, and T = 0.8. 



1 
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FIG. 7: Eve's maximum information gain I Gc vs e when 
a' = a = 10°, = 0°, and T = 0.3. The dashed line is 
the information bound based on Eq. ( |6l| ) . 




a' = a = 45 
9 = 0° 




FIG. 8: Eve's information gain is unity in the gray region 
when (a) a' = a = 40°, and 6 = 0, and (b) a' = a = 10° and 
= 0. 
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In order to explain the counter-intuitive behavior in 
Fig. ^, let us consider the mutual information among the 
classical variables in Alice, Bob and Eve's sites. Let A, 
B, and E be the random variables describing Alice's bit 
value (0 or 1), Bob's measurement result (0, 1, or incon- 
clusive), and Eve's classical data obtained from her at- 
tack, respectively. Let us consider the conditional mutual 
information I(E;A,B|c) = H(A,B\c) - H{A, B\E, c), 
which is the mutual information between Eve and the 
joint system of Alice and Bob for conclusive bits. Here 
c represents the condition that B = or 1, meaning 
that Bob's measurement result is conclusive. The func- 
tion H(A,B\c) represents the entropy of the joint sys- 
tem on condition that Bob obtains a conclusive result, 
and H(A, B\E, c) stands for the conditional entropy of 
the joint system averaged over Eve's variable P, namely, 
H(A,B\E,c) = J2 y Prob(E = y)H{A, B\E = y,c). Us- 
ing the basic properties of the entropy function, we can 
easily see that the following relation holds: 

I(E; A, B|c) + I(A; B|c) = I(A; B, E|c) + I(B; E|c). (53) 

The information I(E;A,B|c) is, hence, bounded as fol- 
lows: 



I(E; A, B|c) < I(A; B, E|c) + I(B; E|c). 



(54) 



The term I(A; B, E|c) in the right-hand side means how 
well the joint system of Bob and Eve can distinguish 
Alice's states on condition that Bob obtains a conclusive 
result, and this term can be bounded from the fact that 
Alice's states are nonorthogonal, as follows. With the 
help of the inequality 

I(A; B, E) > P conc I(A; B, E|c) + (1 - P conc )I(A; B, E|inc) , 

. . . (55) 

where "inc" means B = inconclusive and P CO nc is the 
probability that Bob obtains the conclusive results. For 
= and a' = a, P-onc is given by 



a, 

T 

= - 2- 
4 L 



J P C onc = T[2-(l-e)(cos2a- 
we can bound I(A; B, E|c) as 



I(A;B , E | C) <H*M)< 

J rnnr 



1 



Pr, 



(56) 



(57) 



The second inequality in Eq. ( |57|) comes from the op- 
timum measurement on two nonorthognal pure states, 
which was mentioned in Sec. III. 



The second term I(B; E|c) in the right-hand side of 
Eq.([54|) means how well Eve can control Bob's measure- 
ment outcomes, B — and B — I. Since Bob's POVM 
elements Pq and P- are nonorthogonal, Eve cannot con- 
trol Bob's outcome as she please, and I(B; E|c) generally 
decreases as a decreases. As we discuss the detail in 
Appendix ^|, I(B; E|c) is bounded by 

I(B;E|c) < 1 



sin a 



4(P C o„c/T) 



'1- 



2 (Pconc /P) 



cos a 




Combining Eqs. (|||), (|7|), and (|||), the mutual infor- 
mation I(E; A, B|c) is bounded by 



I(E;A,B|c) < 



1 - h 



1 — Vl — cos' 2 a. 
2 



Pr, 



. 1 sing / _ / 2(P conc /T)- 1 

2 4(P conc /T)V ^ cos a 



(59) 



After the transmission of n pulses from Alice to Bob, 
we expect n conc = ^Pconc conclusive events on average, 
and Eve's information about Alice and Bob's bits for 
these events is bounded by nP conc v. This quantity ap- 
proaches zero when a goes to zero. On the other hand, 
Alice and Bob obtain n cor = nP conc (l — e) correct bits, 
where e is the bit error rate given by 



2 - (1 - e) (cos 2a + 1) 



(60) 



for — and a' = 



The number of correct bits 



does not necessarily approach zero when a goes to zero. 
The information gain per one correct bit, I Gc , cannot 
exceed n conc u/n COI , namely, 



Gc 



< 



1 -e 



xuppcr 



(61) 



Since Shannon information gain I Gc [Eq. (0)] and the 
information gain I Gc [Eq. ([?])] are connected by only one 
parameter Q, we can bound I Gc through Ig Ppor . In Fig. [t], 
we plot this information bound by the dashed line. The 
dashed line decreases as e gets larger. 

To summarize, the counter-intuitive behavior can be 
explained as follows. When a is small, Alice's bit value 
cannot be guessed well from the outside since she encodes 
it into nonorthogonal states. Bob's measurement results 
are also hard to guess since they come from nonorthog- 
onal measurements. As a result, the mutual information 
between Alice and Bob, I(A; B|c), and Eve's information 
I(E;A, B|c), are both upper-bounded by the quantity u, 
which approaches zero when a goes to zero. On the other 
hand, when e is large, the number of the conclusive bits 
is not small even when a is close to zero. This means 
that Alice's bits and Bob's bits for the conclusive bits 
are almost uncorrelated when a is close to zero. Then, 
Alice and Bob construct the correct bits by picking up the 
bits whose values accidentally coincide, through the en- 
crypted communication over the classical channel. In this 
case, the correct bits are essentially generated in this en- 
crypted transmission, and Eve's information gain about 
them is very low. It is, however, not practical to perform 
quantum key distribution in this region, since Alice and 
Bob must use many bits of the initially shared secret key 
to determine the correct bits. 

Figure |^ shows in gray the region where Eve's infor- 
mation gain is unity in the parameter region {a,e} for 
T = 1, 6 = 0, a! = a. The upper-left white region (small 
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FIG. 9: Eve's information gain is unity in the gray region 
{a, e} for T = 1 and 9 = 0. 



a and large e) corresponds to the counter-intuitive be- 
havior we have just discussed. The figure shows another 
interesting behavior for small e; Eve's information gain 
is unity only when a is small or large, and is not unity 
for intermediate values of a. For T < 1, the region for 
the full information gain for Eve has a similar shape to 
Fig. [| but is wider because the transmission loss gives 
advantage to Eve. In order to understand this behavior 
at T — 1, we consider the following specific individual 
attack that gives Eve the perfect information about the 
correct bits. 

If Eve is sure that the state |1)(= |c Q )) released by 
Alice always evolves to |0)(= |f-a)) ancl then reaches 
Bob, Eve can be sure that the value of the conclusive bit 
surviving the error discarding procedure is 0. The sim- 
plest way to perform this attack is to rotate the system 
counter-clockwise by angle 2a in the Bloch sphere (see 
Fig. [l]) . To keep the symmetry, for half of the cases Eve 
rotates the system by angle —2a. For the latter cases 
she can be sure that the value of the correct bit is 1. In 
this attack, the averaged state p\ received by Bob when 
Alice has emitted |1) is given by p\ — (|er_ Q )(<7_ Q | + 
|o"2a)(cT2a|)/2 = cos 2 a|cr Q ) (a a \ + sin 2 a\a^)(oa\. This at- 
tack is thus successful when e = 2 sin 2 a, which coincides 
with the upper boundary in Fig. g. 

The above "rotating" strategy can be improved by per- 
forming a weak measurement before the rotation, so that 
it can be used for smaller values of e. The weak measure- 
ment with outcomes { + , — } is described by the POVM 
{A + ,A„}, where 



A, 



{l-q)\x+)(x + \+q\x-)(x-\ 



and 



i_ = q\x+)(x + | + (1 - q)\x-){x - \ 



(62) 



(63) 



The parameter q (0 < q < 1/2) represents the weakness 
of the measurement. If Alice has emitted \j) (j = 0, 1), 
the outcome "+" and "— " occur with probability pj + = 
(j\A + \j) and Pj_ = (j\A^\j), respectively. When this 
weak (projection) measurement produced outcome "+" , 



the angle (5 (in the Bloch sphere) between the postmea- 
surement states y A+|0) and y -A+|l) is given by 



cos 2 (/3/2) = |(0|i + |l)|7(p 0+ Pi- 



(64) 



The outcome "— " gives the same angle by the symmetry. 
The angle (5 is monotone increasing from to 2a as a 
function of q £ [0, 1/2]. 

After this measurement, Eve rotates the system de- 
pending on the outcome. For "+" , she rotates it so that 

A|_|0) becomes |1). The state \J A + \l) moves to \<r a +p) 
in this rotation. When the outcome is "— ", she rotates 

it so that -J A-\-\l) becomes |0). In this attack, the av- 
eraged state p\ received by Bob when Alice has emitted 
|1) is given by p\ = pi-\a- a ){a- a \ + pi + \a a +p){a a +p\. 
This state can be written in the form (1 — e/2)\a a )(<J a \ + 
(e/2)\oa)(da\ when 



sin/3/ sin 2a = p±-/pi+ 
holds. In such a case, the value of e is given by 



e= 1 - 



sin(2a + j3) 
sin 2a + sin /3 



(65) 



(66) 



The equation ( p5|) has two solutions in q £ [0, 1/2], q = 
qo(ot) and q = 1/2. The case of q = 1/2 corresponds 
to the simple rotating strategy described before. The 
strategy corresponding to the other solution q = qo(a) 
turns out to give the lower boundary in Fig. ^. The entire 
gray region in Fig. ^ is then covered by simply mixing the 
two strategies corresponding to q = qo(a) and q = 1/2. 

The behavior for small e shown in Fig. ^| will now be 
understood as follows. When a is small, the simple ro- 
tating strategy with the small rotation angle 2a causes 
only a small disturbance, and it can be used to obtain 
small e. When a is large and the two states can be well 
distinguished, the improvement of the strategy by the 
measurement is quite effective to reduce e. For interme- 
diate values of a, po+/pi+ cannot be close to zero. Since 
Po+ = Pi— j the angle (3 cannot be close to zero either, 
due to the constraint (|65[). Consequently, as is implied 
by Eq. (|66|), even the improved strategy cannot reduce e 
close to zero. 



VI. SECRET KEY GAIN 

In this section, we show the calculation of secret key 
gain and the optimum angle of Alice's states to obtain 
optimum secret key gain. For simplicity, we assume that 
a = a' and 9 = 0. The calculation for more general cases 
is straghtforward. 

We define the secret key gain G as the net growth of 
the secret key per one pulse. Alice and Bob can increase 
the length of the secure secret key in the region where G 
is positive. 
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In the calculation of key gain, we assume the error cor- 
rection protocol whose number of redundancy bits used 
to detect the errors of the raw key are equal to the Shan- 
non limit, i.e., nh(e), where n is the length of the raw key, 
e is the bit error rate of the raw key given by Eq. ( |60| ) , and 
h(e) is entropy function. We further assume that the pri- 
vacy amplification |18 is applied to the correct bits and 
to the flipped bits independently. Since Eve may not be 
allowed to adopt the strategy that is simultaneously opti- 
mum both for correct bits and flipped bits, this protocol 
may be overkill but never underestimates Eve's ability. 

For the privacy amplification of the correct bits, we use 
Eve's information estimated via the method described in 
the previous sections. From these bits Alice and Bob 
obtain G" ew bits per pulse of new secret key, which is 
written as 



G" 



p conc (i-e)(i-r 



Gc\ 



{s c /n to 



taU 



(67) 



where P C onc is given by Eq. (pq) , ntotal is the number of 
pulses emitted by Alice, and s c is the security parame- 
ter for correct bits. Eve's information about the secret 
key obtained from the correct bits is less than 2~ Sc /ln2 
(bits). 

For flipped bits, Alice and Bob obtain G" cw bits per 
pulse of new secret key, which is written as 

Gf w = P conc e(l - I Gf ) - (s//n total ) . (68) 

Eve has information less than 2~ s J , /ln2 (bits) about the 
secret key from the flipped bits. The information gain 
for flipped bits I Gf can directly be obtained by replacing 
9 with —2a — 9 in the formula in Sec. IV. 



Noting that the redundancy bits used in the error cor- 
rection protocol are encrypted by consuming P CO nch(e) 
bits per pulse of the initially shared secret key, we obtain 
the expression of the secret key gain G as follows, 



Me) 



/-(new 

- Lt c 

- Pco„c [(1 - e)(l - I Gc ) + e(l - I Gf ) - h(e)} 

- (s c + s/)/n to tai • (69) 

In the limit of long key, i.e., ntotai — ► oo, G is reduced to 

G = Pconc [(1 - e) (1 - I Gc ) + e(l - I Gf ) - h(e)} . (70) 

In B92 protocol, if a'(= a) is changed, the secret key 
gain will be changed. So, Alice and Bob should optimize 
this angle to obtain higher secret key gain. In F ig. [ic| , 
we optimize a' (= a) for fixed values of T and e [E4| to 
obtain high secret key gain, and plot the key gain and the 
optimized angle as a function of e. The points "A" and 
"B" represent the cases when e = and when the key 
gain vanishes, respectively. In the figure, as e increases, 
the optimum angle tends to be smaller, and the region 
where optimum angle a' = implies that our protocol 
does not work. In the figure, there is only a negligible 
contribution of flipped bits to the key gain. 
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FIG. 10: (a) The optimized secret key gain per pulse and 
(b) optimal angle a° as a function of e. T = 0.8, a' = a 
and 8 = 0°. "A" represents the angle when e = and "B" 
represents the angle when the key gain vanishes. 



To investigate the T dependence on the optimum angle 
which are represented as "A" and "B", we plot these 
angles as a function of T in Fig. |ll|. For "A", the key 
gain has a simple expression 



T 

G = -(l-cos2a') 

4 v ' 



1 - log 2 2 




In Fig. [n], it is seen that as T gets larger, the optimum 
angle tends to get larger. In Fig. |l2|, we plot e of "B" 
as a function of T. The region below the curve means 
the parameter region of {T, e} where a secure key can be 
produced in our protocol. 

Finally, to compare the security of B92 with that of 
BB84 assuming an ideal single-photon source, we con- 
sider the dependence of G as a function of distance be- 
tween Alice and Bob, while imperfection factors such as 
dark counting of detectors and losses of optical fibers are 
fixed. For the purpose of this comparison, we consider 
the case where Bob uses photon counters which can dis- 
criminate no photon, single-photon, and higher number 
of photons. Let I, L c , L r , u, and r] be the length of 
transmission line (km), the channel loss (dB/km), the 
receiver loss (dB), the mean dark count per pulse (which 
is given by v = r rcs i?dark where i?dark is the dark count- 
ing rate and r res is the resolution time of the detector 
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FIG. 11: The T dependence of'A" and "B" 
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FIG. 13: Comparison of B92 (solid line) with BB84 (dotted 
line) in the case where L c — 0.2(dB), L r = l(dB), v = 2 x 
10 _4 (per pulse), and r\ = 18 (%). The dotted line represents 
BB84 and solid line represents B92 protocol. 



transmission rate T directly gives an advantage to Eve 
in the B92 scheme using photon polarization. 



VII. SUMMARY AND DISCUSSION 



FIG. 12: The maximum value of e up to which the secret key 
gain is positive as a function of T. 



and electronic circuitry) , and the detection efficiency re- 
spectively. In this case, T is given by p5| 

T = e~ u n io-(^ +i ")/ 10 + e"* - io-(^+M/iO) ? 

where we assume that the dark counts are Poissonian 
events. From this equation and 



T 



i){i\ 



•„(1 - 10 -(IL.+ir)/10) ! 

2 



T 

= (l-e)|»)<*| + |l, 
e can be written as 

_ e- y i/(i - 

6 ~~ T 



(73) 



(74) 



In Fig. [13|, we plot log 10 G as a function of distance Z(km). 
In the figure, we put a(a') = ll(degree) which is almost 
optimum, and experimental data is taken from KTH p6[ . 
For the secret key gain of BB84 protocol in the figures, 
we used the formula for the single-photon case in |13| , 



T 

G=-[l 



log 2 (l + 4e-4e 2 ) + elog 2 e 
- (l-e)log 2 (l-e)], (75) 



where e = z//(2T), assumin g t hat the errors stem from 
the dark counting. In Fig. [13|, it is seen that B92 pro- 
tocol is far less efficient, which is mainly because a low 



Throughout this paper, we have estimated Eve's infor- 
mation gain I Gc . But as Bennett et al. pointed out in 
Sec. VI of [Gl|, if eavesdropping is independently done for 
each pulse, privacy amplification using information gain 
based on the expected collision probability is overkill. In 
such case, it follows that it may be sufficient to estimate 
Eve's information gain by Shannon entropy. In the case 
where Eve employs the symmetric von Neumann mea- 
surement, the proof in [ |l8| assures that Shannon entropy 
is enough for the estimation. Maximizing Eve's informa- 
tion gain with respect to Shannon entropy is equivalent to 
the problem of minimizing |<5| 2 , which is the same prob- 
lem as the maximization of Eve's information gain I Gc . 
So, our method described in the previous sections can 
be directly applied to this problem. We plot an example 
of the secret key gain for some cases when we estimate 
Eve's maximum information gain by Shannon entropy in 
Fig. [l4|. We see that the key gain is higher than the case 
where Eve's information is estimated by I Gc . 

Another candidate which may make the key gain 
higher is error reconciliation protocols. There may be 
the case where error discarding protocols |23[| are more 
efficient than the error correction protocol, because the 
redundancy bits consumed in a discarding protocol may 
be less, for Alice and Bob do not need to keep the dis- 
carded bits secret in the error discarding protocol. In 
the calculation of all figures in Sec. 0, we have checked 
that there is no contribution of the flipped bits to the 
secret key, which implies that the use of an error dis- 
carding protocol may be more efficient than that of an 
error correction protocol. 

Since the density matrices which Alice emits are fixed 
as well as those which are received by Bob, the problem 
of our estimation of quantum key distribution over a re- 
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-0.0021 

FIG. 14: The secret key gain vs e in the case of T = 0.3, 
a' — a = 12° and — 0°. Eve's information is estimated 
by Shannon entropy (solid line) and I Gc (dotted line). The 
estimation by Shannon entropy is more efficient. 



alistic channel is reduced to the problem that how much 
information Eve can extract on the condition that both 
initial density matrices pi (i — 0, 1) and final density 
matrices p\ are fixed. In the realistic situation, however, 
since the number of pulses ntotai which are emitted by 
Alice is finite, we cannot uniquely identify the final den- 
sity matrices. In such a situation, by considering the 
standard deviation of Bob's data, we can pick up the 
candidates of the final density matrices, and we can es- 
timate Eve's maximum information gain by comparing 
information gain for each candidates. 

To summarize this paper, we derived a formula that es- 
timates Eve's maximum information when Alice and Bob 
perform B92 protocol using two nonorthogonal single- 
photon polarization states. We have assumed that Alice 
can emit a single photon and Eve employs individual at- 
tack. The problem is equivalent to ask how much infor- 
mation can be extracted while simulating a noisy channel 
through which Alice communicates with Bob by send- 
ing the two nonorthogonal states. The dependence of 
the maximum information on the noise parameter shows 
nontrivial behavior. It decreases as the noise increases in 
some parameter regions. For a small noise rate, Eve can 
extract perfect information in the case where the angle 
of Alice's two states is very small or very large, while 
she cannot extract perfect information for intermediate 
angles. Using the formula, we plot the secret key gain 
as a function of various parameters reflecting interven- 
tion by Eve. We also investigated the optimum angle 
between the two states to obtain large secret key gain, 
and showed the region of the parameters where this key 
gain is positive. A comparison of our protocol with BB84 
protocol shows that B92 protocol with single photon po- 
larization is less efficient than BB84 protocol, which is 
mainly because a low transmission rate T directly gives 
an advantage to Eve in the B92 scheme using photon po- 
larization. This drawback may be compensated in the 
original B92 protocol using two nonorthogonal coherent 
light, or in the 4+2 protocol that uses the switching of 
the basis as in BB84 while retaining the nonorthgonality 
as a freely adjustable parameter. We leave the security 



problems of such protocols to future studies. 

We have assumed throughout this paper that eaves- 
dropping is independent for each pulse. Even within the 
independent quantum operation, Eve can obtain a cor- 
relation among her eavesdropping outcomes by choosing 
her strategy depending on the outcomes which have been 
already obtained. The estimation against such attack 
is important for the realistic purpose, but we also leave 
this problem for future studies, along with the security 
against collective attack or coherent attack. 
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APPENDIX A: SYMMETRIZATION OF EVE'S 
STRATEGY 

In this appendix, we construct a symmetrized strategy 
II s , which possesses higher symmetry and the same power 
as the actual strategy U, namely, \Q(U S )\ = \Q(U)\. The 
problem of minimizing |Q| over possible U is then sim- 
plified to the minimization over possible U s . Similar dis- 
cussion is seen in Appendix A of (jl6| . In addition to the 
symmetry, this reduction makes the analysis simpler be- 
cause the states delivered to Bob by the strategy U s are 
completely specified by the observed quantities. 

First, consider a strategy U' in which Eve conducts an 
additional (nondestructive) measurement of the photon 
number just after the original strategy of U satisfying 
Eqs. (g) and (]To|) . After this measurement, if the out- 
come of this measurement is one photon, she sends the 
projected state to Bob, but if the outcome is no photon 
or more than one photon, she always sends the vacuum 
state | vac). The states p'j(j = 0, 1) delivered to Bob in 
this strategy are given by 

$ = PiPjPi + (1 - Tj) | vac ) (vac | , (Al) 

where P\ is the projection onto the subspace Hi of one 
photon and 

T S = 1 - Tr[F vPj ] , (A2) 

which is the probability that Bob detects a single-photon. 
Since Tr(i>;) = Tr(i> 3 ) (p = 0,l,0,l;j = 0,1), the 
strategy U' satisfies the condition Eq. (||), and the ad- 
ditional measurement only gives Eve extra information, 
IQ(f')l < 1*9(^)1 holds. Hence, in finding the minimum 
of |Q(f7)| under the condition Eq. (||), we are allowed to 
assume the additional assumption that pj is equal to pij 
and is written as 

Pi =T J p J + (l-T J )|vac)(vac|, (A3) 
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where pj = PipjP±/Tj is a normalized density operator 
in //,. 

Next, take a basis of the signal space H that includes 
| z+), | z—}, and | vac) as elements, and take a basis of 
Eve's probe space that includes \w). The product states 
of the two bases form a basis of the combined system, 
and let us denote it as W. Let Z\y be the transforma- 
tion which replaces all the vector components and the 
elements of matrices in the basis W with their complex 
conjugates. Since the initial states \j)\ w)eU = 0, 1) and 
Bob's measurement {F^} are invariant under the trans- 
formation Z\v, and the probabilities of events in quan- 
tum mechanics are given by moduli squared of vector 
inner products, the strategy given by the unitary opera- 
tor ZyfUZ^ 1 gives the same amount of the information 
gain to Eve as the strategy U. 

Similarly, let a z = \z+)(z + | — \z— )(z — | be the tt 
rotation around the z axis in the Bloch sphere, and R be 
the extension of a z to the entire space (R = (a z © Fy) (g> 
1e, where subscript E means Eve's probe space). Since 
the changes in the initial states \j) \w)e(j = 0,1) and 
Bob's measurement {F^} under the transformation R is 
just the interchange of the bit values and 1, the strategy 
given by the unitary operator RUR^ 1 gives the same 
amount of the information gain to Eve as the strategy U. 

Since the four strategies U, ZwUZ^ 1 , RURr 1 , and 
RZyjU Z^ R^ 1 give the same amount of information 
gain, the strategy in which Eve randomly chooses one of 
the four unitary operations also gives the same amount 
of information gain. In other words, if we write the uni- 
tary operator corresponding to this randomized strategy 
as II s , then \Q(U S )\ = \Q(U)\ holds. The states p s and 
p\ delivered to Bob in this strategy are given by 



From these expressions, we have 

Tr[a,p/] = 0, 



(A9) 



where a y = / : 



\z-)(z+\-i\z+)(z-\. Eqs.dAJ and flAg) 



implies that are written in the Bloch sphere as in 
Fig. [|. Taking the parameters 9 and e as in Fig. [| (the 
sign of 9 is positive in the clockwise), p^ can be written 
in a diagonalized form as in Eqs. (02) and (ph. 



APPENDIX B: OPTIMIZATION OF EVE'S 
APPARATUS 

In this appendix, we derive Eq. ( |39| ) . In order to deter- 
mine the function Q m i n (B), we use Lagrange's method of 
undetermined multipliers. Bo is the maximum of B(£) 
under the condition that Q(£) — 0. Hence, if B(£) = Bq 
and Q(£) = 0, such £ satisfies 



5(B(£) - vQ(0) = 



(Bl) 



for any variation of £. Qmm{B) for Bq < B < B max 
is determined by minimizing Q 2 (£) under the condition 
that -B(C) = B. Suppose that Q 2 (£) takes its minimum 
at £ under the condition that B(£) is fixed. Then, at 
least one of the following conditions holds, namely, 



6B(i) = 



(B2) 



for any variation of £, or, there exists real A' such that 
S(Q 2 (i)-X'B(i))=0 (B3) 



and 



where 



Pa 



Rp x R~ 

Z w RpiR~ 1 Z w 1 ) 

r^ + (l-T)|vac)(vac| 



Pi = -(pi + Z w p 1 Z w 1 + Rp R 1 

+ Z w Rp Q R 1 Z^) 

= r^ + (l-T)|vac)(vac|, 



(A4) 



(A5) 



Pi = -^[ToiPo + ZwPoZ^+T^R^R- 1 
+ Zy/RpiR 1 Z W 1 )], 



Pi = cr z pl<7 z , 



(A6) 



(A7) 



and 



for any variation of £. Since Q(£) 7^ in the considered 
region, the condition (B3) is equivalent to 



(B4) 



6(Q(i)-\B(Z)) = 0, 



where A = X'/2Q. The three conditions (|Bl|), QB2D , and 



( B4 ) can be cast into a common form, namely, there exist 
real v and A \{v, A) 7^ (0, 0)] such that 



6(vQ(i) - XB(i)) = 



(B5) 



for any variation of £. In determining Bq and Q m in{B), 
it is sufficient to consider only the operator £ satisfying 
the above condition. 

Since £ is a real orthogonal matrix in the basis W, any 
variation of £ can be written as £ — * £ (1 + N5), where N 
is an arbitrary real antisymmetric matrix in W and S i s 
an infinitesimal real number. Then, the condition (B5) 
means 



Tr (vA-XB)£N =0 



(B6) 



T _n + T L = 1 _ Ti[Fv{po+pi)/2l (A8) 



for any N whose matrix form in W is real and anti- 
symmetric. This condition is satisfied if and only if 
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(yA — XB) £ is a real symmetric matrix in W. Since 
{vA — XB) is a real symmetric matrix and £ is a real 
orthogonal matrix in W, we have 



and hence 



(yA - XB) £ = ^(vA - XB) 



[M-AS) 2 ,C] = 0. 



(B7) 



The mutual information I(B;E|c) can be written as 

I(B;E|c) = H(B\c) -H(B\E,c) 
T 



< 1 



Pr, 



^P( 7 )P(c| 7 )ff(S| 7 ,c)^G4) 



(B8) The entropy H{B\ r ), c) is given by 



APPENDIX C: THE UPPER BOUND OF I(B;E|c) 

In this appendix, we derive an upper bound of I(B; E|c) 
in Eq. (|58|), assuming that Eve freely prepares quantum 
states and sends them to Bob. We only require that Eve 
should not change the values T and P CO nc- Hence, Eve's 
strategy is generally described as she sends a single pho- 
ton with its polarization in the state p 7 with probability 
P(j)T, and she sends the vacuum with probability 1 — T. 
The probability P(j) should satisfy 



7 

and p 1 and P( 7 ) should satisfy 

^P( 7 )P(c| 7 )=P conc /T. 



(CI) 



(C2) 



Here P(c|7) is the probability of obtaining conclusive re- 
sults for the state p 7 , which is given by 

P(c| 7 ) = Tr[(Po+P T )p 7 ] 
= Tr 



1 



rr ml v , I |P(0|7,C)-P(1| 7 ,C)| 

H(B\-f,c) = ft I i - 

Jl |Tr[(Po-P T )p 7 ]|\ 



2P(c| 7 ) 



(C5) 



Using 



Fo-P T =^a x (C6) 
and the relation Tr(<7 z p 7 ) 2 + Tr(<7 x /Xy) 2 < 1, we obtain 



„,„, . , / 1 sin a / A- 2P(c|7) 
= 9(P(c\l)) , 



(C7) 



Since the function x — > xg(x) is convex (we have con- 
firmed this numerically), I(B;E|c) in Eq. ( p4j ) is maxi- 
mum when P(c|7) = P CO nc/T for all 7, and we obtain the 
result 



(cos 2 I \z+) (z + I + sin 2 I |z-) (z - |) p 7 

(C3) which is Eq. 



I(B;E|c)<l-g(Pconc/T). 



(C8) 



= - [1 - cosaTr(er z p 7 )] 
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